If all three of these conditions aren’t met, the two scripts are not allowed to interact. For instance, a script
running on
cannot access a page from
because these are considered different domain names (even though
is technically a subdomain of
). This
same script can’t access pages from
because it has a different port number or from
because it’s a different protocol (not
The effect on BOM and DOM scripting
These rules affect the way you can interact with the BOM and the DOM. For instance, you cannot access
object for any page from a different origin, meaning that you can’t access any of the DOM
structure. The following two lines illustrate the issue:
alert(frames[1].document.location.href); //fails
The previous code should output two alerts, each displaying the URL of the page in the second frame
(the frame at index 1). You may recall from earlier in the book that both the
objects have a
object as a property. If the script using these two lines of code is from a different origin than the page contained in the frame, the second line of code fails because the script cannot
access the
object or any of its properties. The script can, however, access the
object (represented by
) and can still access all the other proper-
ties of the window.
You may also remember from earlier in the book that the XML HTTP Request object (in all browsers)
and the Web Service functionality work only with resources from the same domain; this is yet another
instance where the Same Origin Policy takes effect. It also applies to plugins.
The exception to the rule
Common logic dictates that
belong to the same domain, so they
should be able to communicate with one another. As it turns out, the browser developers agree and have
provided a way to allow such communication.
In the pages from each subdomain, a single line of script can be included to circumvent the Same Origin
Policy. This is done by setting the
property as shown here:
document.domain = "";
This simple line of code then eliminates all the security blocks for JavaScript communication. Note, however, that you can set the domain only to a value already in the URL, so a page from
not set the domain to
, because that is a violation of the Same Origin Policy.
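The two checks the text describes, the three-part origin comparison and the restriction on what document.domain may be set to, written out as an added JavaScript example (not code from the book). The refusal of single-label values in canSetDocumentDomain is an assumption standing in for the public-suffix check real browsers perform.

```javascript
// Added example, not from the book: the Same Origin Policy as a pure function,
// plus the rule limiting which values document.domain may be set to.
// Uses only the WHATWG URL class, so it runs in Node.js or a browser console.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Return the (protocol, host, port) triple the policy compares.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    protocol: u.protocol,
    host: u.hostname.toLowerCase(),
    // URL.port is '' for the scheme's default port, so normalise it.
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// Two URLs share an origin only when all three parts match.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.protocol === y.protocol && x.host === y.host && x.port === y.port;
}

// A page may relax its origin with document.domain only to its own host
// or to a parent domain of it (a suffix that starts at a label boundary).
// Assumption: single-label values such as "com" are refused, a simplified
// stand-in for the public-suffix check real browsers apply.
function canSetDocumentDomain(currentHost, value) {
  const host = currentHost.toLowerCase();
  const target = value.toLowerCase();
  if (target === host) return true;
  if (!target.includes('.')) return false;
  return host.endsWith('.' + target);
}

// Which of several frame URLs could a script on scriptUrl read the
// document of? (Constructed inputs; no real hosts are contacted.)
function accessibleFrom(scriptUrl, frameUrls) {
  return frameUrls.filter((u) => sameOrigin(scriptUrl, u));
}
```

The document.domain setter is deprecated in current browsers, so new code should use postMessage for cross-subdomain communication instead.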
Window object issues
A number of measures protect end users from malicious scripts attempting to use windows.
First and foremost, windows cannot be opened off screen or smaller than 100 x 100. If you specify coordinates that are off the screen, the window is automatically placed on the screen in a location close to
where you specified, but with enough space to see the entire window. Likewise, if you try to open a
Chapter 19
22_579088 ch19.qxd 3/28/05 11:43 AM Page 564